See: http://zulu.zscaler.com/submission/show/9d86dfe1e59b7d057702d9bd3d0790d1-1341163372
and
https://www.virustotal.com/file/5aef49ca0d5bfc5898bb6adba0b9a27711cbe9ebea38ed81239467a2272098d7/analysis/
UPX-packer FP or PUP detection?
polonus
latest scan is now 9/42
https://www.virustotal.com/file/5aef49ca0d5bfc5898bb6adba0b9a27711cbe9ebea38ed81239467a2272098d7/analysis/1341166815/
Malwarebytes detect it as PUP.Adware.Agent and not marked for removal
Just unpacked the file with a static unpacker for UPX; indeed it was packed by UPX.
Results for the unpacked file: https://www.virustotal.com/file/be0e282d21c487be905e63782a87f25fa2983b13c5895c20fca56df29163e198/analysis/1341170446/
Philip
Hi Philip,
We still see this again and again: heuristic and generic flags for packer-protected executables, often not digitally signed.
And then we read comic reports like "6 files with this name found secure, one found suspicious".
Scans should come up with the packer detection like DrWeb’s url checker does:
Checking: htxp://download.u-tab.co.kr/dm4/A34209992/dm_install.exe
Engine version: 7.0.2.4281
Total virus-finding records: 2969957
File size: 120.17 KB
File MD5: 4b9ab6d34e371196762f5b7fe8c6ab64
htxp://download.u-tab.co.kr/dm4/A34209992/dm_install.exe packed by UPX
htxp://download.u-tab.co.kr/dm4/A34209992/dm_install.exe - Ok
Damian
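The "packed by UPX" line Damian quotes from DrWeb is easy to reproduce locally before deciding whether a generic detection is a packer false positive. The script below is an added example written for this thread, not code from any of the posters or from DrWeb or VirusTotal: it parses the PE section table without third-party libraries, reports the section names, flags the UPX0/UPX1/UPX2 section names and the "UPX!" magic that stock UPX writes into its packed header, and prints the MD5/SHA256 so the file can be looked up on VirusTotal. The sample input is a constructed minimal PE skeleton (hypothetical, built in memory by `build_minimal_pe`), not the dm_install.exe from the thread.

```python
"""Minimal UPX packer check for PE files (added example, not from the thread)."""
import hashlib
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}   # stock UPX section names
UPX_MAGIC = b"UPX!"                            # l_info magic written by stock UPX


def pe_section_names(data: bytes) -> list:
    """Return the section names from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4                                  # COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                         # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]   # 8-byte section name
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA256 hex digests, as used for VirusTotal / DrWeb lookups."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def detect_upx(data: bytes) -> dict:
    """Heuristic UPX check: section names and the UPX! magic.

    Both indicators are trivially removable (renamed sections, patched magic),
    so a negative result does not prove the file is unpacked.
    """
    names = pe_section_names(data)
    by_name = bool(UPX_SECTION_NAMES & set(names))
    by_magic = UPX_MAGIC in data
    return {"section_names": names,
            "upx_sections": by_name,
            "upx_magic": by_magic,
            "packed_by_upx": by_name or by_magic}


def report(path: str, data: bytes) -> str:
    """DrWeb-style one-line verdict plus hashes."""
    hashes = file_hashes(data)
    verdict = detect_upx(data)
    lines = [f"File size: {len(data)} bytes",
             f"File MD5: {hashes['md5']}",
             f"File SHA256: {hashes['sha256']}",
             f"Sections: {', '.join(verdict['section_names'])}"]
    if verdict["packed_by_upx"]:
        lines.append(f"{path} packed by UPX")
    else:
        lines.append(f"{path} - no UPX indicators")
    return "\n".join(lines)


def build_minimal_pe(section_names) -> bytes:
    """Constructed sample: a bare PE32 skeleton with the given section names.

    Hypothetical test input only; it is not executable and not a real binary.
    """
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 224                                       # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0,
                       opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    table = b"".join(name.encode().ljust(8, b"\0") + b"\0" * 32
                     for name in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(report(sys.argv[1], fh.read()))
    else:
        sample = build_minimal_pe(["UPX0", "UPX1", ".rsrc"])
        print(report("constructed_sample.exe", sample))
```

Run it with a path to any PE to get the section list, hashes and verdict; with no argument it runs against the constructed sample. The check only tells you that stock UPX was used, which is what the thread is asking about: it says nothing about what the unpacked payload does, so a "packed by UPX" result is a reason to unpack and rescan (as Philip did), not a verdict on its own.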
This detection is not conclusive, at the moment we have 13 detections: https://www.virustotal.com/file/5aef49ca0d5bfc5898bb6adba0b9a27711cbe9ebea38ed81239467a2272098d7/analysis/1341217158/
As we see here: http://minotauranalysis.com/search.aspx?q=4b9ab6d34e371196762f5b7fe8c6ab64
the Win32 executable has been packed by Yoda's Crypter (around since 2004), which has not found much momentum with malversants,
but it is not uncommon to run into a sample protected by it, so I would like to mention that here as well.
polonus